如果出现问题,我需要我的脚本向管理员发送电子邮件,而公司只使用 Gmail。按照几篇帖子的说明,我能够使用 .mailrc 文件设置 mailx。首先出现 nss-config-dir 错误,我通过从 Firefox 目录复制一些 .db 文件解决了该问题。到 ./certs 并在 mailrc 中指向它。已发送邮件。
但是,出现了上述错误。奇迹般地,.db 中有一个 Google 证书。它显示了以下命令:
~]$ certutil -L -d certs
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
GeoTrust SSL CA ,,
VeriSign Class 3 Secure Server CA - G3 ,,
Microsoft Internet Authority ,,
VeriSign Class 3 Extended Validation SSL CA ,,
Akamai Subordinate CA 3 ,,
MSIT Machine Auth CA 2 ,,
Google Internet Authority ,,
最有可能的是,它可以被忽略,因为邮件无论如何都能正常工作。最后,经过一番努力和谷歌搜索,我终于找到了摆脱这种烦恼的方法。
首先,将现有证书导出为 ASSCII 文件:
~]$ certutil -L -n 'Google Internet Authority' -d certs -a > google.cert.asc
现在重新导入该文件,并将其标记为受信任的 SSL 证书,ala:
~]$ certutil -A -t "C,," -n 'Google Internet Authority' -d certs -i google.cert.asc
此后,列表显示它值得信任:
~]$ certutil -L -d certs
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
...
Google Internet Authority C,,
并且 mailx 发送顺利。
~]$ /bin/mailx -A gmail -s "Whadda ya no" [email protected]
ho ho ho
EOT
~]$
我希望它能对那些想要解决错误的人有所帮助。
另外,我对一些事情很好奇。
如果碰巧 Mozilla 数据库中没有该证书,我该如何获取该证书?例如,有类似的东西吗?
~]$ certutil -A -t "C,," \
-n 'gmail.com' \
-d certs \
-i 'http://google.com/cert/this...'
答案1
嗯,这不是我想要的一行代码,但这是如何从头开始获取和导入证书的:
# Create a certificate directory
~]$ mkdir certs
# Create a new database in the certs dir
~]$ certutil -N -d certs
# Need now a chain certificate - May 18, 2015
~]$ wget https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer
# Need now a chain certificate part 2 - May 18, 2015
~]$ mv GeoTrust_Global_CA.cer certs/
# Fetch the certificate from Gmail, saving in the text file GMAILCERT
# Added the CA opion - May 18, 2015
~]$ echo -n | openssl s_client -connect smtp.gmail.com:465 -CAfile certs/GeoTrust_Global_CA.cer | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > GMAILCERT
# Import the new cert file into the new database in the new dir
~]$ certutil -A -n "Google Internet Authority" -t "C,," -d certs -i GMAILCERT
# Double Check
~]$ certutil -L -d certs
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Google Internet Authority C,,
耶!感谢这张票上的答案
答案2
这篇文章需要再次更新。我在 CentOS 7 机器上安装 mailx 时遇到了问题。邮件可以发送,但我仍然收到“认证错误:无法识别同行的证书颁发者。”错误。
我找到了解决方案这里,但必须翻译它。
这里有一个快的方法如下:
# Create a certificate directory
mkdir ~/.certs
# Create a new database in the certs dir (dont forget to enter your pass phrase!)
certutil -N -d ~/.certs
# Create three files for the cert chain
touch ~/.certs/google ~/.certs/geotrust ~/.certs/equifax
# Copy the cert chain for smtp.google.com:465 over to my_certs file (don't forget the -showcerts option, CTRL + C to end this command)
openssl s_client -showcerts -connect smtp.gmail.com:465 > ~/.certs/my_certs
现在复制每个证书,包括 --BEGIN CERTIFICATE-- 和 --END CERTIFICATE-- 并将它们粘贴到您之前创建的各自文件中(google、geotrust、equifax),然后保存这些文件。
# Open your my_certs file you made earlier and copy the google cert (usually the first one)
nano ~/.certs/my_certs
# Open your google file, paste the google cert that you just copied, and save and close
nano ~/.certs/google
# Open your my_certs file you made earlier and copy the geotrust cert (usually the second one)
nano ~/.certs/my_certs
# Open your geotrust file, paste the geotrust cert that you just copied, and save and close
nano ~/.certs/geotrust
# Open your my_certs file you made earlier and copy the equifax cert (usually the third one)
nano ~/.certs/my_certs
# Open your equifax file, paste the equifax cert that you just copied, and save and close
nano ~/.certs/equifax
现在我们必须将每个证书导入数据库。
# Import the google cert into the db
certutil -A -n "Google Internet Authority" -t "TC,," -d ~/.certs -i ~/.certs/google
# Import the geotrust cert into the db
certutil -A -n "GeoTrust Global CA" -t "TC,," -d ~/.certs -i ~/.certs/geotrust
# Import the equifax cert into the db
certutil -A -n "Equifax Secure Certificate Authority" -t "TCP,," -d ~/.certs -i ~/.certs/equifax
# Double check to make sure everything imported correctly into the db
certutil -L -d ~/.certs
示例输出:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Google Internet Authority CT,,
GeoTrust Global CA CT,,
Equifax Secure Certificate Authority CT,,
清理时间(可选)
# Remove all unnecessary files since the db has the certs :)
rm -rf ~/.certs/google ~/.certs/geotrust ~/.certs/equifax ~/.certs/my_certs
# Now run a test to make sure mailx is sending correctly now (don't forget to change [email protected] to the email address you'd like to send to)
echo "Your message" | mail -s "Message Subject" [email protected]
就是这样了,您不应该再收到“认证错误:无法识别同行的证书颁发者。”的错误!
笔记:
您可能已经注意到,我将目录从 更改/certs
为~/.certs
。 mailx 以 root 身份运行,因此我只是以 root/ 进行了这些更改。 “~/” 表示 HOME 目录,将它们放在一起~/.certs
意味着/root/.certs/
。 我确信您知道这一点,但嘿,以防万一您不知道谁可能会读到这篇文章!
万一你需要这个,这里是我添加到底部的配置选项/etc/mail.rc
# /etc/mail.rc options added to the bottom
set smtp-use-starttls
set smtp-auth=login
set smtp=smtp://smtp.gmail.com:587
set from="[email protected](Web01 Server)"
set [email protected]
set smtp-auth-password=your.pass
set ssl-verify=ignore
set nss-config-dir=/root/.certs
确保将 your.from.user、your.smtp.user 和 your.pass 更改为其各自的变量。
答案3
@pyr0ball,刚刚更新了你的脚本中的一些小改动,感谢你分享的好方法:)
#!/bin/bash
certdirectory="/root/.certs"
fail() {
ec=$?
[ "${ec}" == "0" ] && ec=1
echo -e "FAILED[code=$ec]: $@"
exit $ec
}
cleanup() {
rm /tmp/allgcert* || warn "Cleanup of files errored"
rm /tmp/gcert* || warn "Cleanup of files errored"
}
failclean() {
cleanup
fail "$@"
}
numcerts=$(echo -n | openssl s_client -showcerts -connect smtp.gmail.com:465 | grep -c "i:")
mkdir -p $certdirectory || fail "Unable to create certificates directory"
echo -n | openssl s_client -showcerts -connect smtp.gmail.com:465 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/allgcert || failclean "Unable to pull certs from smtp.gmail.com"
awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{if(/-----BEGIN CERTIFICATE-----/){a++}; out="/tmp/gcert"a".crt"; print > out}' /tmp/allgcert
echo -n | openssl s_client -showcerts -connect smtp.gmail.com:465 | grep i: | sed -e 's,.*=,,' > /tmp/allgcertnames || failclean "Unable to output parsed names for certificates"
for i in $(seq 1 $numcerts) ; do
certutil -A -n "$(sed -n ${i}p /tmp/allgcertnames)" -t "TC,," -d $certdirectory -i /tmp/gcert${i}.crt || failclean "Unable to import certificates to database"
done
cleanup
答案4
根据此主题中的回复,我创建了一个小脚本,它将自动提取、解析和安装当前的 gmail smtp 证书。如果证书数量再次发生变化,它应该能够处理它。
#!/bin/bash
# This script pulls ssl certs for using gmail smtp. Adapted from the following config explaination:
# https://serverfault.com/questions/498588/smtp-gmail-com-from-bash-gives-error-in-certificate-peers-certificate-issuer
certdirectory="/home/user/.certs"
# Functions
fail() {
ec=$?
[ "${ec}" == "0" ] && ec=1
echo -e "FAILED[code=$ec]: $@"
exit $ec
}
warn(){
echo -e "WARNING $@"
}
cleanup() {
rm allgcert* || warn "Cleanup of files errored"
rm gcert* || warn "Cleanup of files errored"
}
failclean() {
cleanup
fail "$@"
}
# Count number of certs currently being used (can change from time to time)
numcerts=$(echo -n | openssl s_client -showcerts -connect smtp.gmail.com:465 | grep -c "i:")
# Create the certs directory if it does not exist
mkdir -p $certdirectory || fail "Unable to create certificates directory"
# Pull certs to a local file for parsing
echo -n | openssl s_client -showcerts -connect smtp.gmail.com:465 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > allgcert || failclean "Unable to pull certs from smtp.gmail.com"
# Parses certs output based on the number of certs, and outputs to individual files
if (($numcerts > 1)) ; then
# Pulls the first cert out as it needs one extra line
sed '1,27!d' allgcert > gcert1
# For subsequent certs, it multiplies the cert number by the number of lines in the file where it should exist
for i in $(seq 2 $numcerts) ; do
sed "$((2 + (((($i - 1)) * 26))))"','"$((1 + (($i * 26))))"'!d' allgcert > gcert${i}
done
fi
# Parses out certificate issuer names for installation
echo -n | openssl s_client -showcerts -connect smtp.gmail.com:465 | grep i: | sed -e 's,.*=,,' > allgcertnames || failclean "Unable to output parsed names for certificates"
for i in $(seq 1 $numcerts) ; do
certutil -A -n "$(sed -n ${i}p allgcertnames)" -t "TC,," -d $certdirectory -i gcert${i} || failclean "Unable to import certificates to database"
done
cleanup